usefulness of PaX PAGEEXEC/SEGMEXEC when PAE enabled


Post by nbareil » Wed Dec 30, 2009 6:23 am

Hi,

Today, on a current Linux kernel, is there any interest in using PAGEEXEC or SEGMEXEC if PAE is enabled?

If I look at the patch, almost every time, the pattern looks like this:

+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
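
Review bot: the !nx_enabled test at the start of the if condition means this block runs only when nx_enabled is false, yet the surrounding #if guard names only CONFIG_X86_32 and CONFIG_PAX_PAGEEXEC, so a reader cannot tell from the guard that the code is skipped whenever nx_enabled is set. A short comment above the #if stating that would help. The excerpt also ends at the opening brace, so the body and the matching #endif are not visible here and cannot be checked.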

If my understanding is correct, nx_enabled is true if the kernel (and the CPU) supports PAE, or is running in AMD64/EM64T mode. Right?

Do I miss any protection by not setting this specific option?

Re: usefulness of PaX PAGEEXEC/SEGMEXEC when PAE enabled

Post by PaX Team » Wed Dec 30, 2009 12:42 pm

nbareil wrote: Today, on a current Linux kernel, is there any interest in using PAGEEXEC or SEGMEXEC if PAE is enabled?

PAGEEXEC is a config-time selector for more code than mere non-exec pages: it also covers special reporting code, changing default access rights, etc. It's also a prerequisite for MPROTECT and others. On x86 it fortunately has little to do as far as actual NX bit usage goes, and that also means that those users can omit SEGMEXEC as well. However, for generic kernels that will run on a diverse set of CPUs you probably want to enable both and let the kernel choose the best one at runtime.

